立即与支持人员聊天
与支持团队交流

Identity Manager 9.2.1 - Administration Guide for Connecting to Google Workspace

Mapping a Google Workspace environment in One Identity Manager Synchronizing a Google Workspace customer
Setting up initial synchronization of a Google Workspace customer Customizing the synchronization configuration for Google Workspace Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing Google Workspace user accounts and identities
Account definitions for Google Workspace user accounts Assigning identities automatically to Google Workspace user accounts Manually linking identities to Google Workspace user accounts Supported user account types Specifying deferred deletion for Google Workspace user accounts
Login credentials for Google Workspace user accounts Managing Google Workspace entitlement assignments Mapping Google Workspace objects in One Identity Manager
Google Workspace customers Google Workspace user accounts Google Workspace groups Google Workspace products and SKUs Google Workspace organizations Google Workspace domains Google Workspace domain aliases Google Workspace admin roles Google Workspace admin privileges Google Workspace admin role assignments Google Workspace external email addresses Reports about Google Workspace objects
Handling of Google Workspace objects in the Web Portal Basic configuration data for managing a Google Workspace customer Troubleshooting the connection to a Google Workspace customer Configuration parameters for managing a Google Workspace environment Default project template for Google Workspace API scopes for the service account Processing methods of Google Workspace system objects Special features in the assignment of Google Workspace groups

Synchronizing a Google Workspace customer

One Identity Manager supports synchronization with Google Workspace. The One Identity Manager Service is responsible for synchronizing data between the One Identity Manager database and Google Workspace.

This sections explains how to:

  • Set up synchronization to import initial data from a customer in to the One Identity Manager database.
  • Adjust a synchronization configuration, for example, to synchronize different customers with the same synchronization project.
  • Start and deactivate the synchronization.
  • Analyze synchronization results.

TIP: Before you set up synchronization with a customer, familiarize yourself with the Synchronization Editor. For more information about this tool, see the One Identity Manager Target System Synchronization Reference Guide.

Detailed information about this topic

Setting up initial synchronization of a Google Workspace customer

The Synchronization Editor provides a project template that can be used to set up the synchronization of user accounts and permissions for the customer. You use these project templates to create synchronization projects with which you import the data from a customer into your One Identity Manager database. In addition, processes are created that are required to provision changes to target system objects from the One Identity Manager database into the target system.

To load customer objects into the One Identity Manager database for the first time

  1. In the customer, prepare a user with sufficient permissions for synchronization.

  2. The One Identity Manager components for managing Google Workspace are available if the TargetSystem | GoogleApps configuration parameter is set.

    • In the Designer, check if the configuration parameter is set. Otherwise, set the configuration parameter and compile the database.

      NOTE: If you disable the configuration parameter at a later date, model components and scripts that are no longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

    • Other configuration parameters are installed when the module is installed. Check the configuration parameters and modify them as necessary to suit your requirements.
  3. Install and configure a synchronization server and declare the server as a Job server in One Identity Manager.
  4. Create a synchronization project with the Synchronization Editor.
Detailed information about this topic

Users and permissions for synchronizing with a Google Workspace customer

The following users play a role in synchronizing One Identity Manager with Google Workspace.

Table 2: Users for synchronization

User

Permissions

User for accessing the target system (synchronization user)

You must provide at least one user with super user permissions and a service account for authentication for full synchronization of customer objects with the supplied One Identity Manager default configuration.

  • The Google cloud platform project requires access to the following API's.

    Admin SDK
    Enterprise License Manager API
    Groups Settings API
  • A service account with the associated JSON key and cross domain Google Workspace delegation is required for authentication.

  • API access must be enabled in the Google Admin console.
  • The service account's client ID must be authorized for various API scopes in the Google Admin console: A list of API scopes is available on the One Identity Manager installation medium. You can use this list as a copy template.

    Directory: Modules\GAP\dvd\AddOn\ApiAccess

    File: GoogleWorkspaceRequiredAPIAccess.txt

For more information, see Setting up the necessary permissions for accessing the Google Workspace customer.

One Identity Manager Service user account

The user account for the One Identity Manager Service requires user permissions to carry out operations at file level (adding and editing directories and files).

The user account must belong to the Domain users group.

The user account must have the Login as a service extended user permissions.

The user account requires permissions for the internal web service.

NOTE: If the One Identity Manager Service runs under the network service (NT Authority\NetworkService), you can grant permissions for the internal web service with the following command line call:

netsh http add urlacl url=http://<IP address>:<port number>/ user="NT AUTHORITY\NETWORKSERVICE"

The user account needs full access to the One Identity Manager Service installation directory in order to automatically update One Identity Manager.

In the default installation, One Identity Manager is installed under:

  • %ProgramFiles(x86)%\One Identity (on 32-bit operating systems)

  • %ProgramFiles%\One Identity (on 64-bit operating systems)

User for accessing the One Identity Manager database

The Synchronization default system user is provided to run synchronization using an application server.

Related topics

Setting up the necessary permissions for accessing the Google Workspace customer

To provide the Google Workspace connector with access to the target system, the required permissions must be set up in two Google web interfaces.

To set up the service account and enable APIs

  1. Open the Google Cloud Platform console (https://console.cloud.google.com).

  2. Log in as the Google Workspace super admin.

  3. Select a project or create a new one.

  4. Enable the APIs Admin SDK, Enterprise License Manager API and Groups Settings API.

  5. Create a service account.

    Table 3: Service account properties

    Property

    Value

    Role

     

    Provide new private key

    Enabled

    Key type

    JSON

    Activate cross-domain Google Workspace delegation

    Enabled

  6. Note the service account's client ID.

    You will need it for setting up the API privileges.

  7. Save the key file locally.

    You will need it for creating the synchronization project.

To enable API access and authorize the service account's client ID for the required API scopes

  1. Open the Google Admin console (https://admin.google.com).

  2. Log in as the Google Workspace super admin.

  3. Enable API access.

  4. Authorize the service account's client ID for the required API scope.

    For more information, see User for accessing the target system (synchronization user).

  5. Set up other users with super admins privileges if necessary.

    Up to eight users with super admin privileges can be used. Each user must log in to Google Workspace at least once and accept the terms of use.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级